Monday, December 28, 2015

Looking at the Language of IPv6

by Craig Miller

Trouble with Quibbles

Perhaps I should back up the train a bit, and talk about the IPv6 address and what the parts are called. An example IPv6 address is 2001:0DB8:ABCD:EF01:0001:002:0003:0004. The address is made of 8 groups of hexadecimal digits, each group representing 16 bits, separated by colons.

Blowing Chunks

But what is each group of 4 hexadecimal digits called? Apparently it has taken the IETF 13 years to realize a name was needed. Back in 2011, in true IETF style, a draft RFC was created to foster discussion. It is interesting to look at the evolution of the draft RFC proposal (Naming IPv6 address parts). In the earlier drafts (e.g. draft-2), you can see the following suggestions:

Chazwazza

Chunk

Column

Colonade, Colonnade

Doctet

Field

Hexadectet

Hit

Orone

Part

Provider number, customer number, network number

Quad nibble, qibble, quibble

Segment

Tuple

Word

All had reasons for why they represented 16 bits of information, and would not be confused with other networking terms.

And in light conversation...

As you progress to the 4th revision of the draft RFC (Naming IPv6 address parts) you will find that they pared the list down to two.

Hextet

Quibble

Hextet is the official name based on revision 4, with Quibble allowed in informal conversation. However, the draft RFC was never standardized (there is no RFC number assigned), so it appears the name is still up for grabs.
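Whatever you call them, the following added example (not code from the post) splits a textual IPv6 address into its eight 16-bit hextets and formats them back. It goes beyond the post's uncompressed example by also handling the '::' zero-compression shorthand and emitting the RFC 5952 canonical form; the function names split_hextets and format_hextets are my own.

```python
HEX = set("0123456789abcdefABCDEF")

def split_hextets(address: str) -> list:
    """Split a textual IPv6 address into its eight 16-bit hextets (ints 0..0xFFFF).
    Accepts the uncompressed form used in the post and the '::' shorthand, which
    may stand in for one run of all-zero hextets."""
    if address.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in address:
        head, tail = address.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one hextet")
        groups = left + ["0"] * missing + right
    else:
        groups = address.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 hextets, got {len(groups)}")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError(f"bad hextet {g!r}")
    return [int(g, 16) for g in groups]

def format_hextets(hextets: list) -> str:
    """Canonical text form per RFC 5952: lowercase, leading zeros dropped, and the
    longest run of two or more zero hextets (first one on a tie) written as '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and hextets[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    words = [f"{h:x}" for h in hextets]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])
```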

Monday, December 21, 2015

IPv6 Tools

by Craig Miller

IPv6 Tools

Just like the old saying "with a hammer, everything looks like a nail", we tend to overuse ping or ping6 to troubleshoot our networks. In this post, I wanted to share some other tools which I use in debugging networks.

IP

ip is the successor to the venerable ifconfig. And with good reason, as ip can tell you much more about your configuration. It is installed by default on most distros, and usually lives at /sbin/ip.

link status

ip can display the status of the link (Layer 2 in the OSI model), as well as allow configuration of a VLAN based interface. To display the link status use:

As you can see, there are many SLAAC temporary addresses (RFC 4941) on the eth0 interface.

But wait, there's more!

routing

ip can also display IPv4 and IPv6 routing. Remember that IPv6 is a different network protocol (Layer 3), and packets can flow differently than their IPv4 counterparts. No surprises looking at the IPv4 routes:

rdisc6

While ip will tell you the configuration of the host, rdisc6 will tell you the configuration of your router, or at least what it is sending out as Router Advertisements (RAs). RAs carry prefixes, and control whether clients will start a DHCPv6 client (RFC 3315), via the A, M, and O flags. rdisc6 will send a router solicitation (RS), and print out the RA received in response.

The Stateful address flag is the M flag, and the Stateful other config flag is the O flag. You can also see that two prefixes are being advertised into this network (the prefix advertised by my ISP is dynamic, whereas my Hurricane Electric tunnel prefix is static).
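To make the M, O and A flags concrete, here is an added decoder (not part of the post or of rdisc6) that pulls the same fields rdisc6 prints out of a raw Router Advertisement. The layout follows RFC 4861; decode_ra, prefix_option and SAMPLE_RA are my own names, and the sample RA is constructed with two prefixes to mirror the two-prefix network described above.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option

def decode_ra(msg: bytes) -> dict:
    """Decode a Router Advertisement (ICMPv6 header onward, checksum not verified)
    into what rdisc6 shows: hop limit, M/O flags, lifetimes and each prefix's A flag."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"hop_limit": hop_limit,
          "managed": bool(flags & 0x80),       # M: get addresses via DHCPv6
          "other_config": bool(flags & 0x40),  # O: get other info (DNS, ...) via DHCPv6
          "router_lifetime": lifetime,         # 0 means "not a default router"
          "prefixes": []}
    off = 16                                   # options follow the 16-byte fixed part
    while off + 2 <= len(msg):
        opt_type, size = msg[off], msg[off + 1] * 8   # option length is in 8-octet units
        if size == 0 or off + size > len(msg):
            raise ValueError("bad ND option length")  # RFC 4861 says discard the RA
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", msg[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),  # A: SLAAC permitted
                                   "valid": valid, "preferred": preferred})
        off += size
    return ra

def prefix_option(prefix: str, plen: int, flags: int, valid: int, preferred: int) -> bytes:
    """Build a Prefix Information option (type 3, 32 bytes) for the constructed sample."""
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, flags, valid, preferred, 0) \
        + ipaddress.IPv6Address(prefix).packed

# Constructed sample RA: hop limit 64, M=0, O=1, router lifetime 1800 s, and two
# /64 prefixes with L and A set (0xC0), mirroring a network with two advertised prefixes.
SAMPLE_RA = (struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x40, 1800, 0, 0)
             + prefix_option("2001:db8:1::", 64, 0xC0, 86400, 14400)
             + prefix_option("2001:db8:2::", 64, 0xC0, 2592000, 604800))
```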

There is a companion utility ndisc6 which will generate neighbour solicitations (NS). I don't use it much, but in order to install rdisc6, you will most often install the ndisc6 package.

v6disc

In addition to the tools above, I have written an IPv6 automatic discovery tool which you can find on github. v6disc.sh will detect which interfaces are up, and query all IPv6 nodes. If you have been wondering when nmap may scan your IPv6 networks, wait no longer. v6disc also has a Dual Stack option which will correlate IPv6 and IPv4 addresses, making your transition to IPv6 easier.

There's even a quiet mode which just returns the discovered hosts' addresses without all the chatter (good for scripting). v6disc is open source (GPL) and can be found on github at https://github.com/cvmiller/v6disc

Other Tools

Of course there are the network x-ray tools, tcpdump and wireshark. But they are too big to cover properly in this post, so I'll cover them in another post.

Happy Network

The keys to troubleshooting are knowing where you are (ip addr), knowing where you are going (ip route), and knowing what is out there (rdisc6 & v6disc). With these powerful, yet easy to use tools, your IPv6 network will be humming along in no time.

Monday, December 14, 2015

Fragmenting IPv6

by Craig Miller

headers), and one of those extension headers was the fragmentation extension header.

It's Different

Fragmentation happens differently from IPv4. Instead of the routers realizing that the packet is too large for the next hop, and fragmenting the packet, only the source host will fragment a packet. If an IPv6 router sees a packet that is too large for the next hop, it will drop the packet, not fragment.

When to Fragment?

How does the source host know what MTU (Maximum Transfer Unit) size to use? By performing path MTU discovery (PMTUD, RFC 4821). A probe packet is sent using the link MTU to the destination. If there is a link along the path where the packet is too big, the router will drop it, and send back an ICMPv6 Packet Too Big message. The source host will then decrease the payload size of the packet.

Most of the time, because of PMTUD, packet size will be scaled back to fit the smallest MTU size of the path, and no fragmentation will be required.

It is for this reason that packets sent to other hosts on the same link should never be fragmented. Remember the RA Guard vulnerability? When fragmented packets from hosts on the same link are rejected, this vulnerability is eliminated.

Why Fragment?

If PMTUD works so well, when would it make sense to see a fragmented packet? If everything worked right, there would never be fragmentation. However the creators of IPv6 didn't want to assume everything would always work correctly. So they added the ability for the source host to fragment packets when needed.

There are some UDP applications which do not pay attention to PMTUD, and send out packets of their own desired length. When the stack receives such a packet, and through PMTUD it knows that this packet will not successfully cross the path to the destination, the stack on the source host will fragment the packet, and add a fragment extension header. See RFC 2460 section 4.5 for the specifics of the fragment extension header values.

Guidelines

Some key thoughts about IPv6 fragmentation:

It is almost never required, thanks to PMTUD.

Source hosts do fragmentation, not routers in IPv6.

Be wary of ICMPv6 packets which are fragmented (a method of circumventing RA Guard).

Fragmentation is an option in IPv6, but it is an expensive option (both source and destination have to keep track of the fragments, splitting and reassembling packets). Thanks to PMTUD, it is rarely used in IPv6, and that makes networking simpler.

Sunday, December 6, 2015

Extending IPv6

by Craig Miller

IPv6 Extension Headers

Extending the reach

There was great concern when IPv6 was being created in the '90s about the increase in size of the IP header. After all, the IP source and destination addresses were increasing from 4 to 16 bytes each. It was important to keep the header size to a minimum, since every packet would have a header, and it represents overhead. After all, sending packets isn't about the headers, it is about the data that is being carried (e.g. web, streaming video, voice over IP, etc.).

By rearranging things, and removing fields (like the header checksum), the creators of IPv6 managed to make the new header only 40 bytes long.

But in removing as much as possible, the IPv6 header was stripped of many common things we have come to expect, such as fragmentation, and encryption. The concept of extension headers was added. It is important to know about extension headers, as they can also be misused to cause problems in your network.

IPv6 extension headers are inserted after the IPv6 header and before the layer 4 (think: tcp, udp) header. The purpose of some of the extension headers is obvious, such as Fragment, Authentication (authentication header), and ESP. Let's look at the less obvious ones.

Hop-by-hop options: It was thought that there may be cases where the forwarding routers might need more information than what was left in the pared down IPv6 header.

Destination options: This is used to pad the header to align it to an 8 byte boundary, making it easier for the destination host to process.

Security concerns

Many extension headers do not make sense between two hosts on the same link. Take fragmentation, for example. If both hosts are on the same link, there should be no need to fragment (remember, IPv6 fragmentation is only done by the sender, not by the routers). Therefore, a host on the same link should not accept a packet with a fragmentation extension header.

Why is this a problem? Remember router advertisements (RAs)? These are only transmitted on a link (i.e. they do not cross routers). Remember also that RAs define a network prefix and a default gateway. What if a BAD person were to transmit their own RAs, telling hosts on the link that the BAD person was the default router? This would be an excellent method for a man-in-the-middle attack, since now all packets would travel through the BAD guy.

Cisco implemented a feature (in hardware) called RA Guard to block against this. Their layer 2 switches would examine packets for RAs, and discard them if they weren't from a designated router port. But the BAD guys figured out that they could use an extension header, like the fragmentation header, to pad out the RA packet a bit, and get past RA Guard. Valid RAs should never be encapsulated in a fragmentation extension header, since RAs are always transmitted on the same link as the receiving host.
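To tie the fragmentation post's warning (fragmented ICMPv6 used to slip past RA Guard) to the header chain described here, the following added example (not from the post, and not Cisco's RA Guard) walks an IPv6 packet's extension headers, decodes the Fragment header fields from RFC 2460 section 4.5, and flags a Router Advertisement that arrives behind a Fragment header. The function names walk_headers, suspicious_ra and ipv6 are my own, and the packets are constructed samples with zeroed addresses.

```python
import struct

EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination Options"}
UPPER_LAYERS = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement

def walk_headers(pkt: bytes) -> dict:
    """Follow the Next Header chain. Returns the extension headers seen, the upper-layer
    protocol, the Fragment header fields (RFC 2460 section 4.5) if present, and the
    ICMPv6 type when readable (it is hidden in non-first fragments)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, frag = pkt[6], 40, [], None
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nxt])
        if nxt == 44:
            # Next Header(8) Reserved(8) Fragment Offset(13) Res(2) M(1) Identification(32)
            nh, _, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = {"offset": off_flags >> 3, "more": bool(off_flags & 1), "id": ident}
            nxt, off = nh, off + 8
        elif nxt == 51:   # AH: Payload Len counts 4-octet units minus 2
            nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:             # Hdr Ext Len counts 8-octet units beyond the first 8
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    icmp_type = None
    if nxt == 58 and (frag is None or frag["offset"] == 0) and off < len(pkt):
        icmp_type = pkt[off]
    return {"chain": chain, "upper": UPPER_LAYERS.get(nxt, nxt), "fragment": frag,
            "icmp_type": icmp_type}

def suspicious_ra(pkt: bytes) -> bool:
    """RA Guard style check: a legitimate RA is link-local and never fragmented. Flag a
    first fragment whose ICMPv6 type is RA, and any ICMPv6 fragment whose type is unreadable."""
    info = walk_headers(pkt)
    if info["fragment"] is None or info["upper"] != "ICMPv6":
        return False
    return info["icmp_type"] in (None, ND_ROUTER_ADVERT)

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed 40-byte IPv6 fixed header (addresses zeroed) followed by payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + bytes(32) + payload

RA_BODY = bytes([ND_ROUTER_ADVERT, 0]) + bytes(14)   # skeletal RA: type 134, rest zeroed
PLAIN_RA = ipv6(58, RA_BODY)                          # normal on-link RA, no extension headers
# Constructed sample of the evasion shape: Destination Options (PadN) then a Fragment header
# (offset 0, M=1) placed in front of the same RA body.
FRAGGED_RA = ipv6(60, bytes([44, 0, 1, 4, 0, 0, 0, 0])
               + struct.pack("!BBHI", 58, 0, 0x0001, 0xDEADBEEF) + RA_BODY)
```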

More extension headers

Since RFC 2460 was written in 1998, more extension headers have been added to IPv6. RFC 7045 gives a good list of current extension headers. Here are some additional headers added since RFC 2460:

Extend this ...

You don't have to be an extension header expert to use IPv6. Most IPv6 packets will have no extension headers. They add back functionality that was stripped out of the IPv6 header, and are used only when needed. Every networking mechanism has vulnerabilities and complexities. IPv6 simplifies many things in your network, and most likely you won't have problems with extension headers. Knowing about them can help you troubleshoot and fix your network faster.